Start Anyconnect on WebVPN Portal

strakamar
Level 1

I am trying to remove the Start Anyconnect shortcut and any references to Start Anyconnect from the webvpn portal for a customization object I have.

I can disable it from the application section of the VPN customization, which solves one issue. But after I connect with a user, the default page it loads has the Start AnyConnect in one of the frames. Once I select Home, Web Applications, Browse Networks, which I have enabled, I no longer have access unless of course I log out and then log back in.

Any Assistance in removing the start anyconnect frame showing up in the webvpn interface after a user first logs in would be great.

asdm 6.3

asa5510

Thanks!

Accepted Solutions

Hi

I'm not sure about what exactly you want to achieve in which order, but maybe this helps: There are two methods that help distinguish and prioritize the use between 'SVC' (AnyConnect client) and 'WebVPN' (the clientless portal):

  1. Allowance of the use of SVC or WebVPN as such (per group policy).
  2. The options about how the ASA should deal with SVC upon user login into the clientless portal. Available options:
    • Select SVC automatically right away -> No dialog shown to the user, the portal homepage will never load.
    • Propose to use SVC through a portal dialog for a certain amount of seconds, then automatically select OR do NOT select it -> If the user doesn't act upon, the dialog will vanish in the process and the pre-configured SVC action will be taken.
    • Do not select or propose to use SVC at all -> Portal homepage will load, no reference to SVC is shown.

If you're familiar with the CLI, here are the commands that will help you customize the methods to your liking (consult the command reference for your deployed OS if you should have any questions):

group-policy <name> attributes
  vpn-tunnel-protocol {[IPSec] [l2tp-ipsec] [svc] [webvpn]}
  webvpn
    svc ask {none | enable [default {webvpn | svc} [timeout seconds]]}

The default for ASA OS 8.2 is:

   svc ask none default webvpn

(-> Like that, no reference to SVC will be presented and an SVC session will NOT be initiated through the clientless portal. Nevertheless, if you configured vpn-tunnel-protocol svc webvpn, the user will still be able to log in with the AnyConnect client pre-installed locally on his machine, PARALLEL to being able to log in to the clientless portal.)

Regards

Toni
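
An added example (not part of the original post): a small Python audit that reads `group-policy ... attributes` blocks from an ASA configuration and reports which of the portal behaviours listed above each policy gets. The policy names and the sample configuration are constructed; a policy with no `svc ask` line is assumed to use the ASA OS 8.2 default quoted in the post, and inheritance from other group policies is not modelled.

```python
import re

# Default quoted in the post for ASA OS 8.2 when no "svc ask" line is present.
DEFAULT_ASK = "none default webvpn"

# Constructed sample configuration (policy names are made up for illustration).
SAMPLE = """\
group-policy STAFF attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask none default webvpn
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable default svc timeout 10
group-policy KIOSK attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask none default svc
group-policy LEGACY attributes
 vpn-tunnel-protocol webvpn
"""

def portal_behaviour(ask):
    """Map the arguments of 'svc ask' to the behaviours described in the post."""
    tokens = ask.split()
    default = tokens[tokens.index("default") + 1] if "default" in tokens else None
    if tokens[:1] == ["enable"]:
        if default is None:
            return "prompt, wait for user"
        timeout = tokens[tokens.index("timeout") + 1] if "timeout" in tokens else None
        return f"prompt, then {default}" + (f" after {timeout}s" if timeout else "")
    return "auto svc" if default == "svc" else "portal only"

def audit(config):
    """Return {policy: (protocols, behaviour)} for every attributes block."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            found[current] = {"protocols": [], "ask": DEFAULT_ASK}
        elif current and not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
        elif current:
            words = line.split()
            if words[:1] == ["vpn-tunnel-protocol"]:
                found[current]["protocols"] = words[1:]
            elif words[:2] == ["svc", "ask"]:
                found[current]["ask"] = " ".join(words[2:])
    return {n: (v["protocols"], portal_behaviour(v["ask"])) for n, v in found.items()}
```
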


Gustavo Medina
Cisco Employee

You could go to the group-policy and disable the SVC protocol!

This group of users in that policy requires both the client and clientless access. So if I disable the svc protocol for that policy I assume that the SSL VPN client would stop working. I could create a separate profile but that would add some complexity for users.

What I would like if possible would be to remove it from the customization object (or the webvpn pages).

Thanks!

Do it with two profiles; you can hide the complexity from the users.

The WebVPN users' profile can be selected by URL; if you are using the default portal, just map the URL to the default profile.

If you are deploying AnyConnect to the users, just embed the AnyConnect profile selection in the configuration profile and AnyConnect will just connect to the profile.

From the user's point of view, they will not need to know about profiles.

I had contacted TAC and spoke with a fantastic engineer. The resolution was in the Dynamic Access Policy (DAP). We changed the Access Method to "unchanged" and that removed the "Start Anyconnect" frame from showing up when you first log in on the WebVPN.

Thanks To All!